Welcome!



• this is the non-live version of my slides 

o more text 
o standard PDF file ;) 

About me: 

• Reverse engineer 

• my website: http://corkami.com 

o reverse engineering & visual documentation



I just like to play 
with lego blocks 




low-level ones, 
that is 




block by block 

generate files byte per byte 




Goals 

• explore the format 

• make sure that's how things 
work 

• full control over the structure 




a complete executable

    IMAGEBASE equ 400000h   ; value not legible on the slide; 400000h (the usual default) assumed
    org IMAGEBASE

    istruc IMAGE_DOS_HEADER
        at IMAGE_DOS_HEADER.e_magic, db 'MZ'
        at IMAGE_DOS_HEADER.e_lfanew, dd NT_Signature - IMAGEBASE
    iend

    NT_Signature:
    istruc IMAGE_NT_HEADERS
        at IMAGE_NT_HEADERS.Signature, db 'PE', 0, 0
    iend

    istruc IMAGE_FILE_HEADER
        at IMAGE_FILE_HEADER.Machine, dw IMAGE_FILE_MACHINE_I386
        at IMAGE_FILE_HEADER.Characteristics, dw IMAGE_FILE_EXECUTABLE_IMAGE
    iend

    istruc IMAGE_OPTIONAL_HEADER32
        at IMAGE_OPTIONAL_HEADER32.Magic, dw IMAGE_NT_OPTIONAL_HDR32_MAGIC
        at IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint, dd EntryPoint - IMAGEBASE ; not strictly required
        at IMAGE_OPTIONAL_HEADER32.ImageBase, dd IMAGEBASE ; not required under XP
        at IMAGE_OPTIONAL_HEADER32.SectionAlignment, dd 1
        at IMAGE_OPTIONAL_HEADER32.FileAlignment, dd 1
        at IMAGE_OPTIONAL_HEADER32.MajorSubsystemVersion, dw 4 ; value not legible on the slide; 4 assumed
        at IMAGE_OPTIONAL_HEADER32.SizeOfImage, dd SIZEOFIMAGE
        at IMAGE_OPTIONAL_HEADER32.SizeOfHeaders, dd SIZEOFIMAGE - 1 ; required for XP
        at IMAGE_OPTIONAL_HEADER32.Subsystem, dw IMAGE_SUBSYSTEM_WINDOWS_CUI
    iend

    istruc IMAGE_DATA_DIRECTORY_16
    iend

    EntryPoint:
        push 0      ; operand not legible on the slide; 0 assumed
        pop eax
        retn

    SIZEOFIMAGE equ $ - IMAGEBASE   ; definition not on the slide; assumed (everything assembled so far)



result: 

• a complete executable 

• all bytes defined by hand 



our problem 



• is related to viruses (malware) 

• they use many file formats 

• it's critical to identify them reliably 

o and to tell whether corrupted or well-formed 



standard infection chain 



the most common chain: 

1. a web page, in HTML format 
   a. launching an applet 
2. an evil applet, in CLASS format 
   a. exploiting a Java vulnerability 
   b. dropping an executable 
3. a malicious executable, in Portable Executable format 
   (the vast majority of malware relies on an executable) 



another classic chain 

• open a PDF document 

o with an exploit inside 

■ dropping or downloading a PE executable 

• get a malicious executable on your machine 



the challenge 

it might look obvious: 

• tell whether it's a PDF, a PE, a JAVA, 
HTML... 

• typical formats are clearly defined 

o Magic signature enforced at offset 0 



reality 



some formats have no header at all 

• COM file (16-bit DOS) 
• Master Boot Record 

some formats don't need to start at offset 0 

• archives (ZIP, RAR...) 
• HTML 
  o but text-only? 

some formats accept a large controllable block early in their header 

• Portable Executable 
• PICT image 



How did this start? 



a real-life problem: 

1. a (malicious) HTML page 
2. started with 'MZ' (the signature of PE) 
3. so it was just scanned as a PE! 
   a. wow, this PE is highly corrupted :) 
   b. it must be clean :p 

   [ MZ ... <html> ... ] 




polyglots in the wild 

GIFAR = GIF + JAR 




• an uploaded image 
  o an avatar in a forum 
• with a malicious Java class appended as a JAR 
  (hosted on the server!) 
• bypasses the same-origin policy 
• now usable via its JAVA=EVIL payload 



let's get started 



PE, the executable format of windows 

• it's central to windows malware 

• it enforces a magic signature at offset 0 

o game over for other formats? 



overview 

starts with a compulsory header 
made of sub-headers 



"MZ" DOS HEADER 
"PE" NT HEADERS 
    FILE HEADER 
    OPTIONAL HEADER 
    DATA DIRECTORIES 
SECTION TABLE 
    -> EXPORTS 
    -> IMPORTS 
    -> RESOURCES 



a historical sandwich 

1 . a deprecated but required header 

2. a modern header 

"MZ" DOS header: since IBM PC-DOS 1.0 (1981) 
"PE" 'modern' headers: since Windows NT 3.1 (1993) 



old header content 

• almost completely ignored 

• only required: 

o 2 byte signature 

o pointer to new header 



offset  IMAGE_DOS_HEADER 

00+2    e_magic      'MZ' 
02+2    e_cblp 
04+2    e_cp         exe size 
06+2    e_crlc 
08+2    e_cparhdr    exe start 
0a+2    e_minalloc 
0c+2    e_maxalloc 
0e+2    e_ss         initial ss 
10+2    e_sp         initial sp 
12+2    e_csum 
14+2    e_ip 
16+2    e_cs 
18+2    e_lfarlc 
1a+2    e_ovno 
1c+8    e_res[4] 
24+2    e_oemid 
26+2    e_oeminfo 
28+20   e_res2[10] 
3c+4    e_lfanew     -> offset of the new ("PE") header 



the new header can be 

anywhere 



ex: at the end of the file! 
such as Corkami Standard Test 
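Added example, not code from the slides: the loader's walk from IMAGE_DOS_HEADER to IMAGE_NT_HEADERS, run on a constructed file whose NT headers sit at the very end, with an HTML document in the gap. The constants are the documented PE values; the sample layout, filler and helper names (build_file, parse_pe) are assumptions made for this demo.

```python
import struct

# Added example, not code from the slides: walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS the way
# the loader does, on a constructed file whose NT headers sit at the very end.  Everything
# between offset 0x40 and e_lfanew is free space the loader never looks at.  Constant values
# are the documented ones; the sample layout and filler are assumptions made for this demo.

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3


def build_nt_headers(entry_rva, image_base=0x400000, size_of_image=0x1000):
    """'PE\\0\\0' + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32 with only the fields the slides set."""
    file_header = struct.pack("<HHIIIHH",
                              IMAGE_FILE_MACHINE_I386, 0,   # Machine, NumberOfSections
                              0, 0, 0,                      # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                              224,                          # SizeOfOptionalHeader
                              IMAGE_FILE_EXECUTABLE_IMAGE)  # Characteristics
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0x00, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 0x10, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, image_base)           # ImageBase
    struct.pack_into("<I", opt, 0x20, 1)                    # SectionAlignment
    struct.pack_into("<I", opt, 0x24, 1)                    # FileAlignment
    struct.pack_into("<H", opt, 0x30, 4)                    # MajorSubsystemVersion
    struct.pack_into("<I", opt, 0x38, size_of_image)        # SizeOfImage
    struct.pack_into("<I", opt, 0x3C, size_of_image - 1)    # SizeOfHeaders
    struct.pack_into("<H", opt, 0x44, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 0x5C, 16)                   # NumberOfRvaAndSizes
    return b"PE\0\0" + file_header + bytes(opt)


def build_file(filler):
    """'MZ' at 0, e_lfanew at 0x3C pointing past the filler, NT headers last."""
    nt_offset = 0x40 + len(filler)
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"                                        # e_magic: the only other DOS field checked
    struct.pack_into("<I", dos, 0x3C, nt_offset)            # e_lfanew -> end of file
    return bytes(dos) + filler + build_nt_headers(entry_rva=nt_offset)


def parse_pe(data):
    """Fields a loader checks; raises ValueError where a strict parser would reject."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no 'MZ' at offset 0")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at 'PE\\0\\0'")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if opt_size < 0x46 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 0x10)
    subsystem, = struct.unpack_from("<H", data, opt + 0x44)
    return {"e_lfanew": e_lfanew, "free_bytes_before_nt_headers": e_lfanew - 0x40,
            "machine": machine, "sections": nsections, "characteristics": chars,
            "optional_magic": magic, "entry_point_rva": entry, "subsystem": subsystem}


if __name__ == "__main__":
    # constructed filler: an HTML document hidden in the gap, as in the slide's 28 MB example
    sample = build_file(b"<html><!-- " + b"A" * 28 * 1024 + b" -->")
    for k, v in parse_pe(sample).items():
        print(f"{k:30} {v:#x}")
```

The parser rejects a file whose e_lfanew points at anything but 'PE\0\0' but says nothing about what lies between offset 0x40 and that point, which is exactly the room the rest of the deck fills with PDF, HTML and ZIP data.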




let's look at HTML format 



HTML 




it 



enforces NOTHING! 



anything can precede the <html> tag! 
even 28 MB of binary! 





hex dump of the file around offset 01A4B2C0 (about 27.5 MB in): zeros before, then the HTML starts 

01A4B2B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ 
01A4B2C0  3C 68 74 6D 6C 3E 0D 0A 3C 62 6F 64 79 3E 3C 73  <html>..<body><s 
01A4B2D0  74 79 6C 65 3E 62 6F 64 79 20 7B 20 76 69 73 69  tyle>body { visi 
01A4B2E0  62 69 6C 69 74 79 3A 68 69 64 64 65 6E 3B 7D 20  bility:hidden;} 
01A4B2F0  2E 6E 20 7B 20 76 69 73 69 62 69 6C 69 74 79 3A  .n { visibility: 
01A4B300  20 76 69 73 69 62 6C 65 3B 20 70 6F 73 69 74 69   visible; positi 
01A4B310  6F 6E 3A 20 61 62 73 6F 6C 75 74 65 3B 20 70 61  on: absolute; pa 
01A4B320  64 64 69 6E 67 3A 20 30 20 31 65 78 20 30 20 31  dding: 0 1ex 0 1 
01A4B330  65 78 3B 20 6D 61 72 67 69 6E 3A 20 30 3B 20 74  ex; margin: 0; t 
01A4B340  6F 70 3A 20 30 3B 20 6C 65 66 74 3A 20 30 3B 20  op: 0; left: 0; 
01A4B350  7D 20 68 31 20 7B 20 6D 61 72 67 69 6E 2D 74 6F  } h1 { margin-to 
01A4B360  70 3A 20 30 2E 34 65 78 3B 20 6D 61 72 67 69 6E  p: 0.4ex; margin 
01A4B370  2D 62 6F 74 74 6F 6D 3A 20 30 2E 38 65 78 3B 20  -bottom: 0.8ex; 
01A4B380  7D 3C 2F 73 74 79 6C 65 3E 3C 64 69 76 20 63 6C  }</style><div cl 
01A4B390  61 73 73 3D 6E 3E 3C 73 63 72 69 70 74 20 74 79  ass=n><script ty 
01A4B3A0  70 65 3D 27 74 65 78 74 2F 6A 61 76 61 73 63 72  pe='text/javascr 
01A4B3B0  69 70 74 27 3E 61 6C 65 72 74 28 27 43 6F 72 6B  ipt'>alert('Cork 
01A4B3C0  61 4D 49 58 20 5B 48 54 4D 4C 2B 4A 61 76 61 53  aMIX [HTML+JavaS 
01A4B3D0  63 72 69 70 74 5D 27 29 3B 3C 2F 73 63 72 69 70  cript]');</scrip 
01A4B3E0  74 3E 3C 21 2D 2D ...                            t><!-- 



and it's been the same 
since Mozilla 1.0 in 2002 

thanks to Nicolas Gregoire! 



(screenshot: Mozilla 1.0, build ID 2002053012, user agent "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.0) Gecko/20020530", loading file:///Z:/home/nicob/Ange/corkamix.html and showing the [JavaScript Application] dialog "CorkaMIX [HTML+JavaScript]") 



now, the PDF format 



signature position? 

• officially at offset 0 

• officially tolerated until offset 1024 

• wtf? 

o it actually gets worse later 



ISO 32000-1, 7.5.2 File Header: 

    The first line of a PDF file shall be a header consisting of the 5 characters %PDF- followed by 
    a version number of the form 1.N, where N is a digit between 0 and 7. 

PDF Reference 1.7, 3.4.1 "File Header", implementation note 13: 

    Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file. 

PDF trick 1 



put a small executable within 1024 bytes 

(just concatenate) 



(PE+PDF concatenation on the command line) 

>ls -l 
total 2 
-rw-rw-rw-  1 user group  191 Mar 10  2011 helloworld.pdf 
-rwxrwxrwx  1 user group  268 Sep  7 11:29 tiny.exe 

>copy tiny.exe+helloworld.pdf tiny.exe 
tiny.exe 
helloworld.pdf 
        1 file(s) copied. 

>tiny.exe 
* 268b universal tiny PE (XP-W7x64) 

>ls -l 
total 2 
-rw-rw-rw-  1 user group  191 Mar 10  2011 helloworld.pdf 
-rwxrwxrwx  1 user group  460 Sep 20 10:37 tiny.exe 

(screenshot: the same tiny.exe opened in Adobe Reader shows "Hello World!": the PE headers stay at offset 0 and the %PDF- header lands within the first 1024 bytes) 



trick 2 

1. start a fake PDF header + object in the PE header 
2. finish the fake object at the end of the PE 
3. end the fake object 
4. put the real PDF structure after it 

works with a real-life example (notepad.exe)! 

caveat: PE data might itself contain PDF keywords (stream, endstream...), which can end the fake object early 
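Added example, not code from the slides: trick 2 as a function. A PDF header and a fake stream object are written into the part of the DOS header the loader ignores (bytes 0x02 to 0x3B), the object is closed after the PE body, and the real PDF objects are appended. The PE is a constructed stub that only sets the two DOS fields Windows checks; the PDF objects are a constructed minimal document without an xref table; object number 9 for the fake stream and the helper names are arbitrary choices for this demo.

```python
import struct

# Added example, not code from the slides: "trick 2".  A PDF header and a fake stream
# object go into the part of the DOS header the loader ignores (bytes 0x02-0x3B), the
# object is closed after the PE body, and the real PDF objects follow.  The PE here is a
# constructed stub that only sets the two DOS fields Windows checks (e_magic, e_lfanew);
# the PDF objects are a constructed minimal document (no xref: lenient readers rebuild it,
# strict ones would not).  Object number 9 for the fake stream is an arbitrary choice.

PDF_PREFIX = b"%PDF-1.4\n9 0 obj<<>>stream\n"          # 27 bytes, fits in the 58-byte gap
REAL_PDF = (b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
            b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 200 50]>>endobj\n"
            b"trailer<</Root 1 0 R>>\n")


def make_pe_stub(body):
    """DOS header with e_lfanew -> 0x40, then a 'PE\\0\\0' marker and the given body."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + body


def wrap_pe_in_pdf(pe, real_pdf_objects):
    if pe[:2] != b"MZ":
        raise ValueError("not a PE")
    if 2 + len(PDF_PREFIX) > 0x3C:
        raise ValueError("prefix would overwrite e_lfanew")
    if b"endstream" in pe:
        # the slide's caveat: PE bytes may contain PDF keywords, so a lenient parser would
        # end the fake stream early and start reading the PE body as PDF syntax
        raise ValueError("PE already contains 'endstream'")
    out = bytearray(pe)
    out[2:2 + len(PDF_PREFIX)] = PDF_PREFIX                 # e_cblp..e_res2: never checked
    out += b"\nendstream\nendobj\n" + real_pdf_objects
    return bytes(out)


def check_polyglot(data):
    """What the loader and an Acrobat-style reader respectively look for."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    pdf_at = data.find(b"%PDF-")
    return {"mz_at_0": data[:2] == b"MZ",
            "pe_sig_ok": data[e_lfanew:e_lfanew + 4] == b"PE\0\0",
            "pdf_header_offset": pdf_at,
            "pdf_header_within_1024": 0 <= pdf_at < 1024,
            "first_endstream_offset": data.find(b"endstream")}


if __name__ == "__main__":
    pe = make_pe_stub(b"\xb8\x00\x00\x00\x00\xc3" + bytes(64))   # constructed body
    print(check_polyglot(wrap_pe_in_pdf(pe, REAL_PDF)))
```

The endstream check is the practical part: on a real binary, grep the PE for PDF keywords first, and if one is present, pick an object type whose terminator does not occur in the PE bytes.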



(Hiew 8.22 on NOTEPAD.EXE turned into a PE/PDF polyglot: the PDF header and the fake stream opener sit in the DOS header) 

.01000000: 4D 5A 25 50 44 46 2D 31 2E 34 ..                   MZ%PDF-1.4.. 
.01000010: 3C 3E 3E 73 74 72 65 61 6D 00 00 00 00 00 00 00    <>>stream....... 
.01000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................ 

(at the end of the PE body the fake stream is closed and the real PDF objects start) 

.010139F0: ...                                                ndstream endobj 
 00010E00: ...                                                1 0 obj <</Typ 
                                                              e/Catalog/Pages 
                                                              2 0 R/Lang(fr-FR 
                                                              )/StructTreeRoo 
                                                              t 764 0 R/MarkIn 
                                                              fo<</Marked true 

(screenshot: NOTEPAD.EXE opened in Adobe Reader shows page 1/150 of the book "Zythom - Dans la peau d'un informaticien expert judiciaire, Tome 1: L'âge d'or est devant nous"; the same file still runs as Notepad) 

JAR = ZIP + Class 

the ZIP structure is only enforced at the very end of the file 
(the end of central directory record is located by scanning backwards from the end) 

but CRCs are just ignored by java 

it was too easy :p 



yasm -o test.jar zip.asm 

>unzip -lv test.jar 
Archive:  test.jar 
 Length   Method    Size  Ratio   Date   Time   CRC-32    Name 
--------  ------  ------- -----   ----   ----   ------    ---- 
       0  Stored       0    0%  00/00/80 00:00  00000000  META-INF/ 
      35  Stored      35    0%  00/00/80 00:00  deadbeef  META-INF/MANIFEST.MF 
     299  Stored     299    0%  00/00/80 00:00  0badbabe  test.class 
--------          -------  ---                            ------- 
     334              334    0%                            3 files 

>unzip -t test.jar 
Archive:  test.jar 
    testing: META-INF/                OK 
    testing: META-INF/MANIFEST.MF     bad CRC 8391c53a  (should be deadbeef) 
    testing: test.class               bad CRC 7846a510  (should be 0badbabe) 
At least one error was detected in test.jar. 

>java -jar test.jar 
[Java: Working] (with wrong CRCs) 
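Added example, not code from the slides: a stored ZIP/JAR built by hand with a deliberately wrong CRC-32 on one entry and arbitrary bytes in front of it. It shows the two properties the slide relies on: the archive is located from its end-of-central-directory record, so a prefix does not matter, and whether a wrong CRC matters is up to the consumer. Python's zipfile module does check CRCs on read, which is what is tested here; the slide shows that java -jar does not. The entries, the manifest text, the fake class bytes and the helper names are constructed for this demo.

```python
import io
import struct
import zipfile
import zlib

# Added example, not code from the slides: build a stored (uncompressed) ZIP by hand, put a
# deliberately wrong CRC-32 on one entry, and prepend arbitrary bytes.  Because the format
# is located from its end-of-central-directory record, the prefix does not matter; whether
# the bad CRC matters depends entirely on the consumer.  Python's zipfile checks it on
# read, which is what we test here; the slide shows that java -jar does not.

ENTRIES = {                                               # constructed sample entries
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: test\n",
    "test.class": b"\xca\xfe\xba\xbe\x00\x03\x00\x2d" + bytes(24),   # not a real class
}


def build_zip(entries, prefix=b"", bad_crc=None):
    """entries: {name: bytes}; bad_crc: {name: crc to write instead of the real one}.
    Offsets are absolute (they include the prefix), as in a correctly built SFX archive."""
    bad_crc = bad_crc or {}
    out = bytearray(prefix)
    central = bytearray()
    for name, data in entries.items():
        crc = bad_crc.get(name, zlib.crc32(data) & 0xFFFFFFFF)
        local_off = len(out)
        nb = name.encode()
        # local file header: version needed, flags, method 0 (stored), time, date 1980-01-01,
        # crc, compressed size, uncompressed size, name length, extra length
        out += b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 10, 0, 0, 0, 0x21,
                                            crc, len(data), len(data), len(nb), 0)
        out += nb + data
        # central directory entry: version made by, version needed, flags, method, time, date,
        # crc, sizes, name/extra/comment lengths, disk, internal/external attrs, local offset
        central += b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 10, 0, 0, 0, 0x21,
                                                crc, len(data), len(data), len(nb),
                                                0, 0, 0, 0, 0, local_off)
        central += nb
    cd_off = len(out)
    out += central
    # end of central directory: disk numbers, entry counts, cd size, cd offset, comment length
    out += b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                        len(central), cd_off, 0)
    return bytes(out)


def inspect(data):
    """Names as zipfile sees them, and the first entry whose CRC fails (None if all pass)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist(), z.testzip()


def demo():
    prefix = b"MZ" + bytes(62)                            # a PE-looking header in front
    good = build_zip(ENTRIES, prefix=prefix)
    bad = build_zip(ENTRIES, prefix=prefix, bad_crc={"test.class": 0x0BADBABE})
    return inspect(good), inspect(bad)


if __name__ == "__main__":
    print(demo())
```

A consumer that wants the integrity check has to ask for it explicitly (testzip here, unzip -t on the slide); a consumer that only walks the central directory and reads the stored bytes, as the JVM does, never notices.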



Summary 



Structure 



1. start 

o PE Signature 

■ %PDF + fake obj start 

■ HTML comment start 

2. next 

o PE (next) 
o HTML 
o PDF (next) 

3. bottom 

o zip 
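Added example, not code from the slides: a type identifier that reports every format a blob is a plausible instance of, rather than stopping at the first match, as the "reality" slides earlier and this summary layout call for. Each check mirrors the rule the deck attributes to the real parsers. The sample blob follows the layout above and is constructed here; it is not the real CorkaMIX file, and the helper names are this example's own.

```python
import struct

# Added example, not code from the slides: a type identifier that reports every format a
# blob is a plausible instance of, instead of stopping at the first match.  Each check
# mirrors the rule the deck attributes to the real parsers: PE = 'MZ' at offset 0 and
# e_lfanew -> 'PE\0\0' (anywhere in the file); PDF = '%PDF-' within the first 1024 bytes;
# ZIP/JAR = an end-of-central-directory record found by scanning backwards from the end;
# HTML = an <html tag anywhere, whatever precedes it.  The sample blob is constructed here
# following the "Summary" layout (it is not the real CorkaMIX file).


def is_pe(d):
    if len(d) < 0x40 or d[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", d, 0x3C)
    return d[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_pdf(d):
    i = d.find(b"%PDF-")
    return 0 <= i < 1024


def is_zip(d):
    # EOCD: 22 fixed bytes plus a comment of up to 65535 bytes, so it must lie in that tail
    tail = d[-(22 + 65535):]
    i = tail.rfind(b"PK\x05\x06")
    if i < 0 or i + 22 > len(tail):
        return False
    comment_len, = struct.unpack_from("<H", tail, i + 20)
    return i + 22 + comment_len == len(tail)


def is_html(d):
    return b"<html" in d.lower()


def identify(d):
    checks = {"pe": is_pe, "pdf": is_pdf, "zip": is_zip, "html": is_html}
    return sorted(name for name, check in checks.items() if check(d))


def sample_blob():
    """PE header whose DOS gap opens a PDF stream and an HTML comment; zip record at the bottom."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    openers = b"%PDF-1.4\n9 0 obj<<>>stream\n<html><!--"        # 37 bytes, fits before e_lfanew
    dos[2:2 + len(openers)] = openers
    struct.pack_into("<I", dos, 0x3C, 0x40)
    pe_rest = b"PE\0\0" + bytes(20 + 224)                       # zeroed file + optional header
    pdf_tail = b"\nendstream\nendobj\ntrailer<</Root 1 0 R>>\n-->\n"
    cd_offset = 0x40 + len(pe_rest) + len(pdf_tail)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, cd_offset, 0)   # empty archive
    return bytes(dos) + pe_rest + pdf_tail + eocd


if __name__ == "__main__":
    print(identify(sample_blob()))
```

A scanner that keys its verdict cache on the hash plus the first type it matched will hand the "clean HTML" verdict back when the same bytes are later executed as a PE; the only robust choice is to run every matching type's engine, which this identifier makes possible.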



it's time for a real example! 

an inception demo! 
wait, what? 



we're already in the demo! 



the live version file is simultaneously: 

• the PDF slides themselves 

• a PDF viewer executable 

o ie, the file is loading itself 

• the PoCs in a ZIP 

• an HTML readme 

with JavaScript mario 







so, it works 



but it lacks something 

• not artistic enough 

• not advanced enough 

let's build a 'well representative' (=nasty) PoC 



the PE specs 



• Official MS specs = big joke 

o 'the gentle guide for beginners' 
o barely describes standard PEs 



(hex dump of a standard PE in Hiew: 'MZ' DOS header and stub "This program cannot be run in DOS mode", a "Rich" header, the "PE" header, then the section table: .text, .rdata, .data, .pdata, .rsrc, .reloc) 



imports 



(imports = communication between executables and libraries) 

imports are made of 3 lists 



IMAGE_IMPORT_DESCRIPTOR (one per library; the list ends with an all-zero entry) 
    00+4  OriginalFirstThunk / Characteristics  -> array of IMAGE_THUNK_DATA 
    04+4  TimeDateStamp 
    08+4  ForwarderChain 
    0C+4  Name                                  -> "kernel32.dll", 0 
    10+4  FirstThunk                            -> array of IMAGE_THUNK_DATA (overwritten with addresses) 

IMAGE_THUNK_DATA(32/64) (the array ends with a zero entry) 
    +0 +4/+8  AddressOfData / Ordinal / ForwarderString / Function 
              -> IMAGE_IMPORT_BY_NAME 

IMAGE_IMPORT_BY_NAME 
    00+2  Hint 
    02+?  Name[]  ("api", 0) 

each resolved import: <address> <- <library> <api> <hint> 



evil imports 



let's overlap these lists into each other, 
with extra tricks to make parsers fail! 



(diagram: the lists overlap) 

IMAGE_IMPORT_DESCRIPTOR 
    00  dd OriginalFirstThunk  -> IMAGE_THUNK_DATA: dd AddressOfData 
                                  [00000000]  (terminator) 
    0C  dd Name                -> 'msvcrt.dll', 0 
    10  dd FirstThunk          -> IMAGE_IMPORT_BY_NAME 
                                  00  dw Hint: 0 
                                  02  db Name: 'printf', 0 
                                  10  FirstThunk  00000000  (terminator) 



ultimate import fail 



failing all tools 

o including IDA & Hiew 

now fixed :) 




IDA warning dialog: 

    The imports segment seems to be destroyed. This MAY mean that 
    the file was packed or otherwise modified in order to make it 
    more difficult to analyze. If you want to see the imports 
    segment in the original form, please reload it with the 
    'make imports section' checkbox cleared. 

    [OK]   [ ] Don't display this message again 



let's put some code 



• some undocumented opcodes! 

• big blank spaces in Intel official docs 



(Intel SDM, Table A-2, One-byte Opcode Map (00H-F7H), row D: 
  D0 Shift Grp 2 Eb,1 | D1 Ev,1 | D2 Eb,CL | D3 Ev,CL | D4 AAM Ib (i64) | D5 AAD Ib (i64) | D6 blank | D7 XLAT/XLATB) 

(Intel SDM, Table A-3, Two-byte Opcode Map, 08H-7FH (first byte 0FH), columns 8-F: 
  row 0: 08 INVD | 09 WBINVD | 0A blank | 0B "2-byte Illegal Opcodes" (UD2) | 0C blank | 0D NOP Ev | 0E blank | 0F blank 
  row 1: 18 Prefetch (Grp 16) | 19-1E blank | 1F NOP Ev) 



let's check AMD's 

• miracle! 



(AMD64 Architecture Programmer's Manual, Table A-1, One-Byte Opcodes, Low Nibble 0-7h, row D: 
  D0 Group 2 Eb,1 | D1 Ev,1 | D2 Eb,CL | D3 Ev,CL | D4 AAM | D5 AAD | D6 SALC | D7 XLAT) 

(Table A-4, Second Byte of Two-Byte Opcodes, Low Nibble 8-Fh: 
  row 0: 08 INVD | 09 WBINVD | 0A invalid | 0B UD2 | 0C invalid | 0D Group P PREFETCH | 0E FEMMS | 0F 3DNow! (see "3DNow! Opcodes" on page 351) 
  row 1: 18 Group 16 | 19-1F NOP) 

result in WinDbg 

• '???' == clueless (tool/user) 

don't rely (only) on official docs 



D:\corkamix.exe - WinDbg 6.12.0002.633 X86 

0:000> u 
image00400000+0x138: 
00400138 0f              ??? 
00400139 1838            sbb     byte ptr [eax],bh 
0040013b 685a004000      push    offset image00400000+0x5a (0040005a) 
00400140 ff154b014000    call    dword ptr [image00400000+0x14b (0040014b)] 
00400146 d6              ??? 
00400147 83c404          add     esp,4 
0040014a c3              ret 
0040014b b9c5037700      mov     ecx,7703C5h 



messing with PDF 



there is a so-called standard 



and the reality of existing parsers 
looking at: Adobe, MuPDF, Chrome 
• 3 different files 
  o each works on one specific viewer 
  o and fails on the other 2 



(screenshots, one file per viewer: 
  standard-sumatra.pdf: renders "regarding" in SumatraPDF; Chrome: "Failed to load PDF document"; Adobe Reader: "could not open 'standard-sumatra.pdf' because it is either not a supported file type or because the file has been damaged" 
  standard-adobe.pdf: renders "the PDF" in Adobe Reader; fails in SumatraPDF; Chrome: "Failed to load PDF document" 
  standard-chrome.pdf: renders in Chrome; fails in SumatraPDF; Adobe Reader: "could not open 'standard-chrome.pdf' because it is either not a supported file type or because the file has been damaged") 



let's look inside 

• MuPDF 

o no %PDF sig required 

■ a PDF without a PDF sig ? WTF ?!?! 
o no trailer keyword required either 

• Chrome 

o integer overflows: -4294967275 is read as 21 (it wraps modulo 2^32) 
o trailer in a comment 

■ it can actually be almost ANYWHERE 

■ even inside another object 

• Adobe 

o looks almost sane compared to the other 2 



standard-sumatra.pdf (MuPDF: no %PDF signature, no trailer keyword): 

    XPDF-1. 
    10 0 obj 
    << 
      /Count 0 
      /Kids [<< 
        /Contents 11 0 R 
        /Resources << 
          /Font << 
            /F1 << 
              /BaseFont /Arial 
            >> 
          >> 
        >> 
      >>] 
    >> 
    11 0 obj 
    << >> 
    stream 
    BT 
    /F1 140 Tf 
    (regarding)Tj 
    ET 
    endstream 
    <</Root<</Pages 10 0 R>>>> 

standard-adobe.pdf (Adobe): 

    30 0 obj 
    << 
      /Kids [<< 
        /Parent 30 0 R 
        /Contents 31 0 R 
        /Resources <<>> 
      >>] 
    >> 
    31 0 obj 
    << >> 
    stream 
    BT 
    /F1 150 Tf 1 0 0 1 1 9 Tm(the PDF)Tj 
    ET 
    endstream 
    endobj 
    trailer 
    <</Root<</Pages 30 0 R>> 

standard-chrome.pdf (Chrome: object reference through a 32-bit wrap, trailer inside a comment): 

    %PDF 
    20 0 obj 
    << 
      /Pages << 
        /Kids [<< 
          /Contents -4294967275 4294967296 R 
        >>] 
      >> 
    21 0 obj 
    << >> 
    stream 
    BT 
    110 Tf 
    ('standard'...)Tj 
    endstream 
    % trailer 
    <</Root 20 0 R>> 



Chrome insanity++ 

(thx to Jonas Magazinius) 

• a single object 

• no 'trailer' keyword 

• inline stream 

• brackets are not even closed 

• the * padding is required: Chrome only checks for a minimum size 



All streams must be indirect objects (see Section 3.2.9, "Indirect Objects") and 
the stream dictionary must be a direct object. The keyword stream that follows 
the stream dictionary should be followed by an end-of-line marker consisting of 
either a carriage return and a line feed or just a line feed, and not by a carriage 



    %PDF***** 
    1 0 obj 
    << 
    /Size 2 
    /W[[]1/] 
    /Root 1 0 R 
    /Pages<< 
    /Kids[<< 
    /Contents<<>> 
    stream 
    BT{99 
    Tf{Td(Inlined PDF)' 
    endstream 
    >>] 
    >> 
    >> 
    stream 
    endstream 
    startxref %******* 





(screenshot: Chrome rendering the file as a page reading "Inlined PDF") 



PDF.JS 



very strict 

o 'too' strict / naive ? 

o I don't want to be their QA ;) 

requires a lot of information usually ignored 

o xref 
o /Length 



    %PDF-1.1 
    1 0 obj 
    << 
      /Type /Catalog 
      [...] 
    >> 
    endobj 
    2 0 obj 
    << 
      /Type /Pages 
      [...] 
    >> 
    endobj 
    3 0 obj 
    << 
      /Type /Page 
      /Resources << 
        /Font << 
          [...] << /Type /Font /Subtype /Type1 [...] >> 
        >> 
      >> 
      [...] 
    >> 
    endobj 
    4 0 obj 
    << /Length 47 >> 
    stream 
    [...] 
    xref 
    0 1 
    0000000000 65535 f 
    0000000010 00000 n 
    [...] 

(screenshot: helloworld-generic.pdf in Firefox's pdf.js viewer, http://mozilla.github.i.../viewer.html, page 1/1) 



let's play further 



combine 3 documents in a single file 

• it's actually 3 sets of 'independent' objects 

• objects are parsed 

o but not used 



(screenshots of standard.pdf: SumatraPDF renders "regarding", Adobe Reader renders "the PDF", Chrome renders "'standard'...") 





alternate reality demo 



the live slide-deck contains 2 PDF 

• bogus one under Chrome 

• real one under MuPDF (Sumatra, Linux...) 

• rejected under Acrobat 

o because of the PE signature (see later) 




final PoC 



combine most previously mentioned tricks 
many fails on many tools 
total control of the structure 

o the PDF 'ends' in the Java class 



>corkamix.exe 
CorkaMIX [PE] 

>java -jar corkamix.exe 
CorkaMIX [Java CLASS in JAR] 

>cmp -b corkamix.exe corkamix_lb.exe 
cmp: EOF on corkamix.exe 

>python corkamix_lb.exe 
CorkaMIX [python] 

>copy corkamix.exe corkamix.html 
        1 file(s) copied. 

(screenshots: corkamix.exe opened in Adobe Reader shows "CorkaMIX [PDF]"; corkamix.html in a browser pops a JavaScript alert "CorkaMIX [HTML+JavaScript]") 



    db 'MZ' 
    ; [...] 
    db '%PDF-1.', 0ah 
    db 'obj<<>>stream', 0ah 
    db '<html>' 
    ; [...] 
    at IMAGE_NT_HEADERS.Signature, db 'PE', 0, 0 
    ; [...] 
    db 0fh, 18h, 111b << 3   ; 0F 18 /7: the reserved NOP blank in Intel's table 
    push msg 
    call [__imp__printf] 
    salc                     ; D6: documented by AMD only 
    ; [...] 
    header: 
    db 'PK', 3, 4            ; ZIP local file header 
    dw 0ah                   ; version needed 
    ; [...] 
    _dd 0CAFEBABEh           ; Java class signature (big-endian) 
    _dw 3                    ; minor version 
    _dw 2dh                  ; major version (45 = Java 1.1) 
    ; [...] 
    _dd 9                    ; length of bytecode 
    GETSTATIC                ; operand not legible on the slide 
    LDC 14 
    INVOKEVIRTUAL 16 
    RETURN 
    _dw 0                    ; exceptions_count 
    _dw 0                    ; attributes_count 

    [...] 



Adobe rejects 'weird 
magics' after 10.1.5 

not in their own specs :p 



(screenshots: Adobe Reader 10.1.4 lists corkamix.exe under "Open a Recent File" and opens it; Adobe Reader 10.1.5 refuses: "Adobe Reader could not open 'corkamix.exe' because it is either not a supported file type or because the file has been damaged (for example, it was sent as an email attachment and wasn't correctly decoded).") 



also in ELF/Linux flavor 



• starring a signature-less PDF 

o which won't open in other viewers 

(screenshots of corkaminux.pdf: Chrome "Failed to load PDF document"; Adobe Reader "could not open 'corkaminux.pdf' because it is either not a supported file type or because the file has been damaged") 




and Apple too 



PS: I don't have a Mac, this was built blindly 
Thanks to Nicolas Seriot for testing 



$ nasm -o corkamosx mosx.asm 
$ java -jar corkamosx 
CorkaM-OsX [Java] 
$ chmod +x corkamosx 
$ ./corkamosx 
CorkaM-OsX 
$ cp corkamosx corkamosx.html 
$ open corkamosx.html 
$ cp corkamosx corkamosx.pdf 
$ open corkamosx.pdf 

(screenshots: a JavaScript alert "CorkaM-OsX [HTML+JavaScript]"; Preview showing corkamosx.pdf (1 page) reading "CorkaM-OsX [PDF]") 



why should we care? 



like washing powders, security tools are selected on: 

• speed 

• {files} -> {clean / detected} 

file types are not taken into consideration 



type confusion 



make the tool believe the file is another type, which will fool the engine 

an engine with checksum (hash) caching will be fooled: 

1. scanned as HTML: clean, and the verdict is cached by hash 

2. the same bytes reused as a PE: malicious, but the cached verdict says clean 




VirusTotal: 

SHA256:    2a9c7a16cdb3c312285afa1e1072dd5e7cc022e971351cad6234a13e52161389 
SHA1:      e27faaa006229f8e4ab97fba7019dc9f2797184d 
MD5:       88cad2b56ab67b43794a0f7a4e690fd5 
File size: 1.5 KB (1530 bytes) 
File name: corkamix.exe 
File type: PDF 



engine exhaustion 

rankings in magazines are based on scanning time 

-> scanning per file must stop arbitrarily 
-> waste scanning cycles by adding extra formats 



Weaknesses 



• evasion 

o filters — ► exfiltration 
o same origin policy 
o detection 

■ ex: clean PE but malicious PDF/HTML/... 

■ exhaust checks 

■ pretend to be corrupt 

• DoS 



Conclusion 



• type confusion is bad 

o succinct docs too 
o lazy software as well 

• go beyond the specs 

o Adobe: good 

• suggestions 

o more extension checks 
o isolate downloaded files 
o enforce the magic signature at offset 0 



thank YOU ! 




http://reverseengineering.stackexchange.com 

@angealbertini 

ange@corkami.com 



Bonus 



Valid image as JavaScript 



Highlighted by Saumil Shah 

• abusing header layout and parser laxity 

• turn a header field into /* 

• close the comment after the picture data 



Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   Ascii 

00000000  47 49 46 38 39 61 2F 2A 0A 00 00 FF 00 2C 00 00   GIF89a/*.....,..  <- format data 
00000010  00 00 2F 2A 0A 00 00 02 00 3B 2A 2F 3D 31 3B 61   ../*.....;*/=1;a  <- format data, then foreign data 
00000020  6C 65 72 74 28 22 48 65 6C 6C 6F 20 57 6F 72 6C   lert("Hello Worl  <- foreign data 
00000030  64 5C 6E 28 66 72 6F 6D 20 61 20 47 49 46 20 66   d\n(from a GIF f 
00000040  69 6C 65 29 22 29 3B                              ile)"); 



gifjs.html: 

    <html><body> 
    <img src="gifjs.gif"> 
    <script src="gifjs.gif"></script> 
    </body></html> 

(screenshot: JavaScript alert "Hello World (from a GIF file)") 
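Added example, not code from the slides: the GIF/JavaScript polyglot from the bonus slide built programmatically, then read both ways. The logical-screen width is chosen so that its little-endian bytes are "/*", which opens a JavaScript comment right after the identifier GIF89a; the GIF trailer ';' ends the image, "*/" closes the comment, and the payload follows. The height, the empty image and the payload are constructed for this demo, and the helper names are this example's own.

```python
import struct

# Added example, not code from the slides: build the GIF/JavaScript polyglot from the bonus
# slide and check both readings of it.  The logical-screen width is chosen so that its
# little-endian bytes are "/*", which opens a JavaScript comment right after the identifier
# "GIF89a"; the GIF trailer ';' ends the image, "*/" closes the comment, and the payload
# follows.  Height, the empty image and the payload are constructed here; as the slide
# shows, browsers tolerate an image with no pixel data.

WIDTH_AS_COMMENT_OPENER = 0x2A2F      # struct.pack("<H", 0x2A2F) == b"/*"


def gif_js_polyglot(js, height=10):
    """Bytes that decode as a GIF89a and parse as `GIF89a=1;<js>;` in JavaScript."""
    w = WIDTH_AS_COMMENT_OPENER
    # header + logical screen descriptor: width, height, packed (no global color table), bg, aspect
    gif = b"GIF89a" + struct.pack("<HHBBB", w, height, 0, 0xFF, 0)
    # image descriptor ',' + left, top, width, height, packed; LZW min code size 2; no sub-blocks
    gif += b"," + struct.pack("<HHHHB", 0, 0, w, height, 0) + b"\x02\x00"
    gif += b";"                                    # GIF trailer: decoders stop reading here
    if b"*/" in gif[8:]:
        raise ValueError("image bytes would close the comment early")
    return gif + b"*/=1;" + js + b";"              # JS: GIF89a /*...*/ = 1; <js>;


def parse_gif(data):
    """Walk the block structure as a decoder does and report where it stops."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    w, h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                              # global color table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 7))
    images = 0
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                          # ';' trailer
            return {"width": w, "height": h, "images": images, "trailer_offset": pos}
        if block == 0x2C:                          # ',' image descriptor (9 bytes) + LZW code size
            pos += 11
            images += 1
        elif block == 0x21:                        # '!' extension introducer + label
            pos += 2
        else:
            raise ValueError(f"unexpected block {block:#x} at offset {pos}")
        while pos < len(data) and data[pos]:       # length-prefixed data sub-blocks, 0 ends them
            pos += 1 + data[pos]
        pos += 1
    raise ValueError("no trailer")


def js_view(data):
    """How a JavaScript engine reads the same bytes: identifier, block comment, then code."""
    text = data.decode("latin-1")
    if not text.startswith("GIF89a/*"):
        raise ValueError("no comment opener after the identifier")
    close = text.find("*/", 8)
    if close < 0:
        raise ValueError("comment never closed")
    return {"comment_span": (6, close + 2), "code": text[close + 2:]}


if __name__ == "__main__":
    g = gif_js_polyglot(b'alert("Hello World\\n(from a GIF file)")')
    print(parse_gif(g))
    print(js_view(g)["code"])
```

The one constraint a real image adds is the check in gif_js_polyglot: none of the pixel data between the opener and the closer may contain the two bytes "*/", otherwise the script engine leaves the comment in the middle of the image data.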



